I am trying to link events from two separate sourcetypes together that have different fields available. The "corps_app_error" sourcetype only has ReqId available, while the "corps_app_audit" sourcetype has both ReqId and trackerid. I want all events with the same trackerid or ReqId to become a single transaction. I then want to find all transactions with both sourcetypes within them (To find which transactions had errors essentially).

However, when I do a search with two "transaction" strings the results go blank. An OR within the transaction doesn't appear to give me the results I'm after as well.

sourcetype="corps_app_error" OR (sourcetype="corps_app_audit" operation=CreatePIN ref_operation=CreatePIN step=Resolve) | transaction keepevicted=true ReqId | transaction keepevicted=true trackerid | search sourcetype="corps_app_audit" AND sourcetype="corps_app_error"

Any suggestions?

The first answer doesn't seem to work for me. If I do the search:

sourcetype="corps_app_error" OR (sourcetype="corps_app_audit" operation=CreatePIN step=Resolve method=NBPart OR method=RtlCust OR method=eWPEmp begin) | transaction keepevicted=true ReqId | search sourcetype="corps_app_audit" AND sourcetype="corps_app_error" trackerid="4c24c2810a060c7c20005f3a0016aa33" | transaction keepevicted=true trackerid

I get 1 result and it tells me 1 event showing yet I can't see any events listed. Basically the events pane is blank.

While if I do the search:

sourcetype="corps_app_error" OR (sourcetype="corps_app_audit" operation=CreatePIN step=Resolve method=NBPart OR method=RtlCust OR method=eWPEmp begin) | transaction keepevicted=true ReqId trackerid | search sourcetype="corps_app_audit" AND sourcetype="corps_app_error" trackerid="4c24c2810a060c7c20005f3a0016aa33"

I get 9 results and the trackerid's are not combined into a single transaction like I expect them to be.